Leah Culver of Breaker and Tom Sparks of YC Answer Your Questions About Security and Podcasting

Leah Culver is cofounder and CTO of Breaker, which is a social podcast listening and discovery app. They went through YC in the Winter 2017 batch. Leah’s also an author of both the OAuth and oEmbed API specifications.

Tom Sparks is an engineer on the YC Software team. He also cofounded Cryptoseal which went through YC in the Summer 2011 batch and was acquired by CloudFlare in 2014.

Transcript

Craig Cannon [00:00] – Hey, how’s it going? This is Craig Cannon and you’re listening to Y Combinator’s Podcast, today’s episode is with Leah Culver and Tom Sparks. Leah’s the co-founder and CTO of Breaker which is a social podcast listening and discovery app. Breaker went through YC in the Winter 2017 batch. And Leah’s also an author of both the OAuth and oEmbed API specifications. Tom’s an engineer here on the YC software team and he also co-founded CryptoSeal which went through YC in the Summer 2011 batch. They were later acquired by Cloudflare in 2014. The first part of this episode is about security and the second part is about podcasting. We answered a ton of questions from Twitter so hopefully we got to yours. Alright, here we go. How about we start with some questions from Twitter, I actually think this one might’ve been on Facebook so Brady Simpson asked, “How do we deal with the ever increasing pressure from governments trying to get into devices?” Tom, do you have an opinion on this one?

Tom Sparks [00:56] – I do so I think one of the most important things to think about is that some of this is just legislation based. However, some vendors do actually care about the privacy and security of their users. Apple’s been pretty good about it. Microsoft has actually done a lot of work for this. Previously when Blackberry was still a thing, they were basically number one but right now Apple’s pretty much the most consumer friendly in terms of security for just your personal devices, they give you a lot of options, they do a lot of stuff behind the scenes to make it really easy. Your passcode is actually backed by some really really cool stuff, your fingerprint reader on your phone is pretty simple, it works pretty much all the time. That’s easy security stuff. The government trying to subpoena the information from your devices is a lot bigger can of worms and it goes back to the constitution essentially. Like fourth amendment, fifth amendment stuff. Search and seizure is really up in the air with electronic devices. This goes all the way back to the 1960s in terms of personal privacy. In the 60s, the government came up with something called ECHELON, I believe and that was basically trying to get data to spy on spies in the 90s it was Clinton trying to do stuff to catch more spies basically and with email and stuff becoming more and more prevalent, they just put in this giant apparatus to do surveillance on the American population. Vendors, when they tackle this, have to go well what can we do without

Tom Sparks [02:53] – ticking off the government, Apple’s done a good job of basically saying nope, we’re not going to give you the keys to things, if you want to get into somebody’s phone, you’re going to have to basically get around the protections we’ve put in because we don’t want to make something that’s intentionally insecure and they’ve done pretty well with that. They’ve gotten some flack from some people.

Craig Cannon [03:14] – As a lay person, what precautions are you taking with your own data?

Tom Sparks [03:17] – For the most part, as long as you use the key code and any sort of biometric authentication on your devices, you’re in a good spot. If you don’t do any of that, you’re just kind of in the wind. The government has pretty deep ability to surveil you so your phone is probably not going to be the vector they go after the most unless you’re sending encrypted messages and stuff, you’ve got Signal. They probably want to see what you’re doing but if they can subpoena you and you don’t have good protection on your phone, they’re going to see what’s there. They can’t make Apple decrypt what you’ve got. If you’ve got an Android phone, you’re much less well off. It’s really just legislation and using good technology. I believe the Pixel 8 or what is it, the new Samsung phone has some pretty neat stuff built into it that’s got good security.

Craig Cannon [04:30] – What about you, Leah? Do you do anything in particular?

Leah Culver [04:35] – Actually, so I have an iPhone and I have some little paranoia things. I know how to turn off the phone so if I was like panicked. I actually just got the iPhone 10 so I have the facial recognition but I’ve always tended to get the latest iPhone so I had the Touch ID as well and the interesting thing is I think it’s much easier for law enforcement to access your phone via Touch ID like you’re saying, through Touch ID or facial recognition, but the nice thing Apple does is if you have three failed attempts or if you shut off your phone, you have to reenter your passcode and that’s much harder for them to access so I’ve practiced like powering down my phone, I tend to only put one of my thumbs in the thumbprint so if I needed to I could use my other thumb and just pretend, “Oh, I’m nervous, it’s not working,” until it locks me out, I don’t know. Is that all weird and paranoid?

Craig Cannon [05:23] – That’s great.

Leah Culver [05:27] – I feel like it’s the price you pay, it’s the trade-off for using some of the convenience features.

Craig Cannon [05:33] – Yeah, but what about the company side? At Breaker, how do you guys think about security?

Leah Culver [05:37] – Sure, that’s a great question. We basically follow standard web service practices. We have an API in the back end. On the front end, basic iOS stuff, so the big thing for me is keeping private data in the keychain as an iOS developer and not in any other local files, especially not in NSUserDefaults or putting it in the Info.plist file, don’t put stuff in there. You can unzip an app directory to look at anyone’s Info.plist which is great, I actually use it to find out what other apps are doing for certain Apple specific settings because they have these weird configurations that you can do for interoperability with other apps and it never seems to work so I would just download people’s apps and unzip them and look at their Info.plist. But yeah, just making sure that as an app developer, when you’re storing sensitive data such as passwords, user names, any PII, personally identifying information, about people that you are doing so in a thoughtful way. And I think there are a lot of best practices about this and I don’t want to go into all of them but it’s pretty easy to just Google and find out what they all are. And just to be aware of it, just to know that you have sensitive data and power and to be really aware that you have a responsibility as an app developer to protect that data and actually, it was interesting. I was thinking about cloud services and the government accessing cloud services and my last job was at Dropbox and a lot of other companies do this as well, they publish all of the requests from the government

Leah Culver [07:16] – so the legal team publishes them all online through a disclosure report every year so you can see what gets asked for. Most companies who are behaving well don’t want to be overly generous with providing data to the government but under certain legal conditions, it is necessary.

Craig Cannon [07:46] – Cool. Well, let’s go to Brady’s second question then. He asked, “Why is auth tech changing every few years, from YubiKeys to two factor auth to thumbprint to face recognition, what are we optimizing for, speed or reliability or security? What’s next?”

Leah Culver [08:03] – Or just what’s cool. Honestly, like the Face ID thing I think I like the animoji, making animals talk. I like that more than the actual security part of it. It’s a trade-off between convenience and security, so I think a lot of these new technologies coming out are for convenience. Let’s hear Tom’s thoughts on these things too.

Tom Sparks [08:30] – All this stuff is actually really old. It’s just that we’re actually using it now. Like I went back and looked and two factor auth started with one time passwords. That stuff originated in the 1880s so it’s really not new. Really what it is is people are becoming aware of their own security, they want to make sure that whatever personal data they have doesn’t get out there. Most people have really terrible passwords and they’re like, “Oh okay, even if I have this terrible password, if I use this little thing, it will keep my personal data safe.” I think that’s good. I don’t think that the way that we implement it is necessarily what matters, I think it’s just the fact that people are using it more and becoming more aware. Speed and reliability are really important. When you look at what’s available, I think if you go back, I have a laptop from the 90s that has a fingerprint reader on it, we never really used it but it was a thing that you could use, it worked pretty well actually. Now it’s just more ubiquitous. There’s more multi-factor auth and things. Looking forward, we’ll even see DNA ID. Sensors are getting smaller and smaller all the time. You can detect so many different factors. Humans have unique chemical fingerprints even so you could have something where it’s like, “Oh my phone smells me.”

Leah Culver [10:09] – Yeah, heartbeats is one I’ve seen recently that’s pretty cool, what’s interesting about this is like it’s not just, we talked about two factor authentication, what it really is is multi-factor authentication and having those factors be of different types. I’m going to try and remember the different types. But there’s something you know, something you are, like biometric, and what’s the other one, something you have, so device. So device, biometric and something you remember like a password, and so having two different factors is the key for two factor authentication. A YubiKey is a device or if you have authenticator on your phone, like an authenticator app, that’s like a device, the thumbprint, facial recognition is biometrics and there’s pros and cons to each, right? So what I find super interesting is I love the convenience of the face and the thumbprint but what’s really nice about the device and something you remember is you can replace it so if it were to get stolen, so if someone takes a cast of your thumbprint, it’s a lot harder to change your thumbprint than it is to change your password, right?

Craig Cannon [11:13] – Change your face.

Leah Culver [11:13] – A nice security feature is the ability to change something if you feel like it’s been compromised to make a new password or to change up your device. The device one’s a huge pain in the ass because every time I get a new iPhone, I spend the next like hour switching over all my authenticator keys. It’s like oh my gosh, it’s such a pain.

Craig Cannon [11:33] – I just did it, did you read the post about the mask faking out the iPhone X?

Leah Culver [11:38] – Oh my god, that was so freaky.

Craig Cannon [11:40] – Yeah, have you tried to replicate it?

Leah Culver [11:42] – Do you have mask making materials? We could do it right now.

Craig Cannon [11:43] – I could work on it.

Leah Culver [11:47] – Yeah but it’s super scary ’cause it’s not like you’re going to change your face, right so having it as a second factor or having that as, I guess it’s the first factor, right, it’s the first protection but having the passcode is the back up for that is super important, something that you could change, right?

Craig Cannon [12:01] – I’ve just been wondering if there’s a line for you guys where you guys are like, “You know what? Face ID, I’m good.” I don’t need this right now because, just like you said, there’s a point at which if someone hacks you or figures out a way or some exploit, it’s open forever. Is the convenience also for security minded people just so high that you opt into it?

Leah Culver [12:23] – I love the convenience, I’m a big 1Password user so I don’t actually know any of my passwords except my own password and now it’s two taps I think. You tap once on the button that says look up my password and it does the facial recognition on 1Password. And then you tap the password that you want to enter. Because it knows what site it’s on or whatever. It’s just so fast, just tap, tap whereas I’ve been using a password manager for ages and it’s such a pain to like switch apps, get the password, copy it, paste it. The convenience is phenomenal. But what is the risk, I hope no one takes a mask of my face. Do you use any two factor devices or biometric stuff?

Tom Sparks [13:12] – Yeah, I don’t do as much data center stuff anymore but definitely done a lot of the biometric auth stuff. Funnily enough, a buddy of mine was the first person to break the Touch ID on the iPhone. He also recently published something about the guys who did the mask thing.

Leah Culver [13:31] – What do you mean by break? He copied someone’s fingerprint.

Tom Sparks [13:36] – Basically yeah. There’s a few things that Apple did to try to make sure that there’s some liveness and some other stuff, but it’s hardware at the end of the day so it’s not, it’s a little fallible, but it’s not bad.

Leah Culver [13:49] – There’s the setting on the facial recognition where if your eyes are closed, it won’t read your face which is really creepy, I assume that’s to protect yourself. You could just close your eyes.

Craig Cannon [14:01] – It’s so obvious. It’s not like the left thumb, right thumb thing that you’re talking about. If you show your phone to your face and you close your eyes, someone knows that you’re trying to fake it.

Leah Culver [14:10] – I guess but I guess did you guys know. It’s a really weird feature, yeah.

Tom Sparks [14:24] – We deploy best practices. We don’t do anything super super scary. We just make sure that we know where our users are. We make sure that people use strong passwords. We use strong encryption.

Craig Cannon [14:41] – VPN.

Tom Sparks [14:44] – VPN is an easy one. We have some dedicated hardware and stuff for VPN-ing so that that is a little harder to remotely get into, but best practice stuff, we stick to it. We do not have nuclear secrets or anything like that. I’m not worried about someone parachuting in with machine guns and chainsaws. Our stuff is pretty open, if you’re a YC founder, your data is well protected and we want to make sure that that stays that way but we’re not going to do DNA ID to get into something, right, so we do a pretty good job of just making sure that everything’s buttoned down and code reviews, that’s the biggest thing. That’s all pretty easy, our developers are great. We’re lucky in that aspect. It’s a really good team so that helps.

Craig Cannon [15:48] – I would agree with that. Rick also asked another question. He asked, “What is the future of security for start ups?” Do you guys have strong opinions here?

Tom Sparks [15:58] – There’s a good trend of people just not reinventing the wheel. For security, reinventing the wheel is pretty much the worst thing you can do. Every time we see a big hack, it’s because somebody did something with, “Oh, I’m going to be really clever and reinvent this thing and cool,” you forgot this one thing where if you add an extra zero or something like hey, look this password’s in the clear so that happens. I think outsourcing auth is a really important thing. OAuth is great, SAML is great. Most companies don’t really need to worry about auth in that way, Facebook auth is great, it’s ubiquitous. It’s pretty solid, well rounded company. It’s everywhere, you don’t need to reinvent that wheel. Moving forward, really it’s just going to be what companies need, most startups don’t need crazy military grade stuff, they don’t need HSMs. They don’t need TPMs even, your phone has a TPM in it. But it’s so ubiquitous that you don’t need it. So having something like OAuth just removes the need for really trying to have to build in a lot of security. Beyond that, a lot of CIs, continuous integration software, have things where you can just turn on code checking, you can do easy bounds checking. You can do a lot of security stuff just automatically. And it’s really nice, most developers do care somewhat about it, but when you get the intern in and they’re like, “Oh yeah, I wrote this great function that has one thing in it,” they’re not necessarily going to know so that’s why having some oversight is good.

Tom Sparks [17:50] – But frameworks eliminate a lot of these problems. There’s a lot of really great frameworks out right now. Now more than ever, there’s just a lot of really good stuff. Go has some pretty interesting stuff in it. Just in terms of programming level security. I made the joke the other day that if you need random numbers, the best way to get them is to use a language that doesn’t have any sanity checking in it at all. And a new developer, because they won’t even know that they don’t need to do memory management and there’s something already there, so yeah.

Craig Cannon [18:25] – And Leah, would you advise the same thing?

Leah Culver [18:27] – I totally agree with Tom, I think when you’re looking to build a website or an app or something, to use best practices is the way to go. And these things are sort of open standards and open protocols for a reason because large teams of people work on it. I worked on OAuth, the first version. Which is maybe not as good as subsequent versions, but I worked on the first version but it was just a large team. I’d say at any given time we had 20, 30 people working on different parts of it and I’m personally not a security expert, I’m a security hobbyist. It was fun to work with folks from like Google, Yahoo, Mint dot com, financial institutions who definitely had more at stake in terms rather than working on a social network at the time, little was at stake in financial data. It was nice to have them sanity check, especially all the algorithms for hashing, and to make sure that we were doing things in a way that could protect against known attacks, things that people knew were vulnerabilities and vectors. But nowadays as just an app or web developer, you don’t have to think about any of that. To use Facebook login, you download an SDK and you like follow the instructions and it just works and it’s secure and fantastic and let Facebook deal with it. It’s really great. That being said, I do think there is still room to innovate on the user experience side of the security. That’s when we talk about things like Face ID or like what can we do now that we couldn’t do 10 years ago that we would’ve liked to do, right? Some of that stuff is fun to play with.

Leah Culver [20:15] – I’m really interested, so after working on OAuth, I’m still really interested in user login. Especially preventing targeted attacks is like one of my fun hobbies and so some of the stuff you see now that I’m super interested in is when you log in on a new device that you get an email about it, if your password changes that you get notified. How do you prevent someone changing the email address and changing the password at the same time, too close together? Some of those things are just product things to think about. If you’re developing a product that you need to be secure, what can you do in the case of both just general attacks to get data from your database or the more targeted attacks, which is, I don’t know why that’s interesting to me. I just find it fascinating, especially in the age of Instagram celebrities and things. I think it’s pretty interesting and people in general aren’t super good about security. How can we as app developers protect someone in the case that they do have a terrible password?

Craig Cannon [21:19] – Well, I think you saw it with people porting phone numbers for crypto stuff in particular. Those are giant.

Leah Culver [21:23] – Oh my gosh. Those are horrible, it really brought to attention how badly the cell phone companies were prepared for multi-factor authentication, like I don’t use my phone for multi-factor authentication. I would highly recommend against it.

Craig Cannon [21:38] – You mean SMS?

Leah Culver [21:38] – Yeah. Not using SMS or phone calls or anything like that as a factor.

Craig Cannon [21:41] – So you use Google Authenticator?

Leah Culver [21:46] – Yeah, yeah or a similar application, there’s Authy. There’s some other ones that are pretty good.

Craig Cannon [21:52] – Okay.

Leah Culver [21:52] – Or YubiKey or any of those. There’s a lot of other options. When you’re relying on someone who gets probably paid minimum wage to be phone support. I don’t know if I would be counting on that.

Craig Cannon [22:06] – I know, totally. Do you have crypto thoughts in general so say if I told you this before the podcast, Tom. I get a name wrong every time, Safalahe asked what are the most recent security concerns in crypto or cryptocurrency so be clear.

Tom Sparks [22:24] – It’s just new. People are getting used to it. People are inventing their own languages to go along with them, what we were talking about earlier with Ethereum the other week where somebody deleted a really important function without a contract. That stuff will happen and people will just take that lesson and move on. I don’t think cryptocurrencies are necessarily more or less secure than anything else. Cash, if you leave it on a table, somebody’s probably going to walk off with it, we saw a lot of really Bitcoin stuff go away because people were using horribly insecure hosting stuff, hopefully people don’t continue that. But I’m sure it will, people leave their wallets with passwords like “1234” on their laptops. I have seen wallets stored on public anonymous FTP sites with a password of like “1.”

Leah Culver [23:30] – Where are these sites?

Tom Sparks [23:31] – Yeah.

Craig Cannon [23:31] – Totally.

Tom Sparks [23:35] – You can’t protect users from themselves, really. I don’t think Crypto specifically has a problem. It’s interesting to see how people are using it. It’s nice that you can have it be so ubiquitous and it brings power back to the people who use it a little bit versus like with cash, you’re like, “Oh, a central bank. You have to do this.” I’m not a crypto libertarian on this issue at all.

Leah Culver [24:07] – I actually, I’m fascinated by, I love the blockchain as a technology from a database ledger perspective. And actually I have a podcast to recommend since I work on a podcasting app, yeah. There’s a show called Invest Like the Best and they have a three part series called Hash Power and it’s on the technology behind the blockchain and Bitcoin and also investing and they have a couple other topics that they cover, a broad look at everything to do with cryptocurrency and I loved it because I knew the general idea but I didn’t know the history or so much in depth about it. But it was excellent and what is interesting to me personally is distributed versus centralized systems and how they play out, I feel like the blockchain is the first really distributed system we’ve seen become quite popular in recent memory. The internet itself is a large distributed system. I can’t say it’s the only really interesting distributed system but what we’ve been seeing with the internet is a centralization, we’ve been seeing centralized power especially with the large tech companies now, really consolidating, right, like Facebook having eight of the top 10 apps in the app store. Large amassing of power in user data with very few companies and what’s interesting to me about the blockchain is taking that back a little bit. And there is some centralization around the blockchain. There are mining conglomerates, there are services that will host and store your data for you so cloud services instead of using a physical device to store your private

Leah Culver [25:44] – keys, you could use a cloud service. And what’s interesting about that is like the insurance factor of it so when you think about banks and how your money is insured, seeing these companies come up with, “Now we’re going to insure cryptocurrency.” It’s like oh, this is interesting, right, it’s basically like rebuilding a banking system built for the internet age. It’s super interesting and I’m not sure how it’s all going to play out and I agree, some of the biggest security concerns right now, the number one is user error, right? I totally agree with that, I think that the fact that it’s decentralized protects against a lot of fraud or malicious intent by centralized power. But it makes it really hard to recover your data if anything happens, yeah, so fascinating.

Craig Cannon [26:41] – This has happened a bunch on private Slacks around ICOs. People post fake, they’ll steal the avatar from the creator and create an account in that Slack and then post an address like a minute before the ICO would happen and it’s just like this torrent of money flows to them and it’s all a scam, it’s like, there you go, gone.

Leah Culver [27:03] – Yeah, oh wow, yeah, just be very careful. I have no idea how one establishes trust from cryptocurrencies other than by using centralized systems. It’s pretty difficult.

Craig Cannon [27:13] – Yeah, I don’t know. Well you did mention podcasts and we should talk about podcasts here so let’s jump up to Kat’s question. @KatManalac, partner at YC, threw a question out. Let’s start with the first part, “What are your favorite podcasts?”

Leah Culver [27:28] – That’s a great question and actually my big thing, I want to just put a plug in for Breaker here. You should follow me on Breaker and you can easily see what my favorite podcasts are. What’s great about Breaker is it’s social. You can see what people are listening to. You can see what they subscribe to. You can see what people are liking. You can see what podcast episodes are hot. Actually I found this Hash Power series because it became popular on Breaker, got a lot of attention, a lot of comments and it’s not. I normally wouldn’t listen to a podcast called Invest Like the Best, but it definitely was an interesting series, so podcasts that don’t exist that I wish did. Right now on Breaker, it’s a lot of tech, a lot of startups. It wasn’t bad in the early days with a few users. We had more True Crime, Comedy so what I guess, what I’d like, I personally love storytelling. I’d like to hear more diverse stories. Stories from people you wouldn’t normally hear on podcasts, I guess that would be my request. So if you out there are a listener and you think you have something unique to say, go for it.

Craig Cannon [28:37] – Before we go further, Tom, did you have a favorite podcast?

Tom Sparks [28:41] – I don’t really do a lot of podcasts but I think my favorite equivalent of that is called The Life of Boris. It’s about this Slavic YouTube dude who posts videos and does a bunch of Q and A with his fans. It’s pretty funny because it basically hearkens back to a lot of the Cold War era stuff. It’s kind of fun, it’s pretty goofy. He talks about all kinds of stuff, like the gamut of video games, cars, cooking. I learned how to cook a bunch of Russian stuff from it. I kind of like that kind of variety. But otherwise, I think the podcasts that are missing for me are just like really in depth like security stuff. There’s a lot more blogging around that kind of stuff because you can’t really show a breadboard on a podcast. But I definitely would like to find out about it. I’m definitely interested in ways that I can find new stuff so I’m definitely going to spend a little more time with Breaker.

Leah Culver [29:55] – Yeah, I’ll second the request for a security podcast, though. I listen to a ton of Swift podcasts and a couple Python ones. I’ve been less able to find more general security dev ops, that sort of thing. That’s definitely an area that someone could make a podcast for.

Craig Cannon [30:11] – Yeah, I’ve been so impressed with Breaker’s search. That’s my favorite part, by far. Yeah, I really like that. Kat asked a second question, and she asked, “What mistakes did you make with your first company that you know not to repeat on the second?” And Tom is a founder as well, so this is a valid question for both of you.

Leah Culver [30:29] – Yeah, I’m curious what Tom has to say.

Tom Sparks [30:32] – Oh, mistakes? I don’t know, let’s see, I’ve been doing startups since I was 15 years old so, I’ve seen a lot of mistakes. One of the biggest ones is just poorly spending your money. I worked at a startup where we had a shag-carpet-walled music room. I’m pretty sure that I knew what else happened there. We spent ridiculous amounts of money on things. We bought Napster for like a month.

Craig Cannon [31:05] – What, what?

Tom Sparks [31:06] – Yeah, yeah, right, I know. Acquired Napster, for a month, and then gave it back. So there’s all kinds of weird stuff like that that happened in the early boom. Now I think money, even though it’s pretty easily available to entrepreneurs, I think it’s still paying attention to where you spend your money is key. Some of PG’s early stuff about, “Don’t go get an office. Work out of your house.” A lot of the YC ethos is really stuff that I recommend people stick to because it’s so easy to be like, “Oh yeah, I got all this money and I’m going to go get a flashy car. I’m going to go get a nice office. I’m going to go buy the best screens and stuff for me.” And then they just spend their time derping around on trying to be whatever they feel makes them

Tom Sparks [31:55] – a successful founder rather…

Leah Culver [31:57] – Yeah, playing startup is what I’ve always called it.

Tom Sparks [32:00] – Scenestering, I think is kind of another good term for it. Those parties are fun but they don’t get your company anywhere.

Leah Culver [32:09] – Go to other peoples… Parties or places, what have you. Just take the free… Yeah, so I’m the opposite. I’m so frugal. All of my startups have pretty much run on, I don’t know… steam, air? Even Breaker is still very frugal as a company, but I’ve definitely had other issues. My one is sort of the opposite. It’s asking for help. Going out and trying to build… I think I’ve always thought, “Oh I can build it. I should just build it.” As opposed to, “How do I get other people involved in my company? How do I have other people care about this? How can we build something better together? How can I listen more to users? How can…” Now everything we do at Breaker is super user-feedback focused. It’s just, “What do people want? Let’s just build what everyone wants.” And it’s just a totally different approach than, “I’m building something that I want for myself,” right? And it’s been much more rewarding. Building things because people actually are asking you for them.

Leah Culver [33:09] – It’s easy to do. It’s a little hard to get over the ego of, “Oh there’s a bug here and someone’s talking about it,” or, “Hey, we don’t have this feature yet, I’m sorry.” But, that’s really been a huge change for me. The other thing is more personal. My first few startups, I struggled with myself as a founder. And not really fitting the mold of what I thought a startup founder would be like. Same for developer. Starting off even as a developer. I used to get these programming books that were like, like developers like us. And they’d have pictures on the front that looked nothing like me. So I was like, “I don’t know.” So, it’s figuring out… And it’s not just the way I look, but it’s also my personality. I don’t feel like I am a startup founder. But, then there’s also… Coming to terms with that is like… I have this mantra every day. Then I get up and I say, “I can only be the best person that I am.” Sort of be true to myself and that I don’t have to be exactly like Steve Jobs or Mark Zuckerberg or Elon Musk. Right, like that’s never going to happen. So, I figure…

Craig Cannon [34:20] – I would say that’s also a good thing, yeah.

Leah Culver [34:23] – Yeah, but you know there are definitely a wider variety of founders out there that don’t get as much glory in the press and the media, that are still phenomenal founders running huge companies. Just maybe less exciting than…

Craig Cannon [34:38] – Yeah, or just less flashy. It’s a chance and maybe running a business that’s not particularly sexy, which is always hard. You mentioned user testing. Now that you guys are a little bit bigger than you were during YC, giving it to me and being like, “Hey, what do you like about this?” How are you doing user testing at a larger scale now?

Leah Culver [34:57] – We have several different ways that we collect data from users. We have just an in-app bug reporting tool. It’s kind of most direct. You can actually just send us an email. If you take a screenshot in the app it actually prompts you like, “Hey, did you see a bug? Do you want to send it to us?” Which is great. It’s a tool called Buglife. We love Buglife. We use Mixpanel for implicit user testing. This is actually, I would say, almost more valuable than what people tell you is what they do. We use it for things like testing retention, doing funnels, so knowing when people drop off in a particular… If we want them to take a particular action, what happens that they tend to not do that. A/B testing… We don’t do a ton of A/B testing. But we do, with things like search and discovery, do more A/B testing and like, “What do people actually want here? What are they actually tapping on? What are they listening to? What gets them excited?” Those are probably our two biggest tools for collecting user feedback. We are starting to do more user-experience testing. And we’re about to send out our first survey. Which I’m always a little bit like, “Ooh, I don’t know if I want to send out a survey.” I like that people reach out and give us feedback directly. We get a lot, a lot of email feedback.

Craig Cannon [36:11] – Have there been any surprises in the product you designed and how it ended up being used?

Leah Culver [36:17] – Oh, yeah, definitely. I’m trying to think of a good example, but there’s stuff every day that just… The way that I use a podcast app is not the way that everyone else does. And we, sort of in our mind, have this ideal user of who we want to be a Breaker user and it’s not a hardcore podcast listener. We’re not on the extreme of the spectrum, like you’re listening to podcasts all day and you’re very fussy about your settings. But, on the other hand, it’s someone that we want to be more long-term engaged with the product. So, it’s not just someone who’s going to drop in and listen to one episode. We really want to get people into podcasting and get people into listening to podcasts the same way that you would watch Netflix, right? We want people to be as excited about a new episode of their favorite show as a podcast as they are the next episode of their favorite TV show which is exciting and really fun and I think there’s a lot of room for podcasts to grow to really fit that. And I hope that Breaker can be part of that. The whole industry of podcasting needs to grow in order for it to be a really exciting business opportunity.

Craig Cannon [37:18] – It’s 250 million a year now in ad revenues, which is tiny considering how much people talk about podcasting.

Leah Culver [37:25] – Yes, yes, I think there’s definitely room to grow. And that was one of the reasons I started Breaker is I was looking for a market that wasn’t saturated, that wasn’t… That was growing, but could be accelerated by using technology.

Craig Cannon [37:37] – Why do you think the iOS Podcasts app is so popular?

Leah Culver [37:41] – Because it comes installed on the phone by default.

Craig Cannon [37:42] – I know, but Apple Maps is garbage and Apple Maps got usurped by Google Maps, right? I guess it might be better now. I haven’t used it.

Leah Culver [37:49] – Yeah, well hopefully Breaker will take over and be the… Yeah, this is what we’re going for. It’s like, “How do you become better than what comes installed on the phone,” and that’s… It’s a hard problem.

Leah Culver [38:14] – I have a very strong opinion on this. And I will lay it out there. We do episode discovery, not show discovery. The distinction there is, there are a lot of podcasts being produced these days where a particular episode will really get you. It’s more topic-based episodes or story-based episodes. There’s a few podcasts that are like… Many podcasts that are serialized formats or have a longer story to tell, but when we’re talking about individual stories, I think what gets people hooked on a podcast is a good story. It’s like watching a good clip of SNL, right? Sometimes you just want to know what the good parts are. For us, we want to highlight the good episodes, based on users liking them, listening to them, commenting on them, and that’s what we highlight in Breaker. It’s what is hot right now. Not based on… So Apple uses editors. They have people who go in and say, “Hey, you should like this show cause we, as an Apple editor, think it…” and it’s like, “I just want to know what’s the best episode right now.”

Leah Culver [39:27] – Basically, giving our pitch. That’s sort of what our goal is, to become this source of really great content. What I find interesting is, I think that podcasts are getting better in quality in terms of the storytelling and the shows. But I don’t know that they’ve quite reached the level of the Game of Thrones of podcasts. That’s one we talk about a lot. Right now we’re seeing some of these really good podcasts, but we haven’t hit the show… We’ve had Serial, which was a big popular show. A big popular podcast. It’s really a chicken and egg problem. If we had that show, would it be just distributed across all podcast networks? Could we actually make money off of that kind of show if we had a show big enough? Is there a big enough audience on Breaker yet to make it interesting to have a big show? We’re taking the approach of trying to gain a large audience using Breaker and then be able to present them with unique content that is of the quality of something like a Game of Thrones or a House of Cards or… It’s a challenge, yeah.

Craig Cannon [40:41] – Even Hardcore History is like five episodes a year? And it’s him and other staff working on that show.

Leah Culver [40:48] – Yeah, it’s difficult to produce, but it’s actually much cheaper and easier to produce a podcast than a television show. It’s like a hundred X more expensive to produce a television show than to produce a podcast, a quality podcast.

Craig Cannon [41:00] – Are you working on your own yet? Original content?

Leah Culver [41:02] – I am not a… I don’t make podcasts. I’m definitely on the technical side. I have much respect for people who are storytellers. I actually just went to a live podcast taping this weekend or a live podcast show. They were actually playing back an episode that they hadn’t aired of Love + Radio. I’ll give ’em a shout-out. It’s super interesting and I got to talking afterwards about storytelling and how it, in itself, is a skill and I just don’t have any time to work on developing that. But Craig, you have a podcast.

Craig Cannon [41:34] – Working on it, yeah, yeah. If you have any questions, I-

Leah Culver [41:36] – Do you feel like your strategy has evolved over time? Given feedback from listeners, how has the podcast changed?

Craig Cannon [41:46] – This is the second podcast that I’ve done. The first podcast I did was called Salt of the Earth and we interviewed small business owners that were funny. It was a great podcast. I had a lot of fun doing it. But finding guests was really hard. Especially because they’re often just obscure small business owners. Not only is that difficult, but then distribution becomes a real challenge. That’s super hard. Distribution across almost every podcast is super difficult. With this one, we do YouTube. And YouTube works really well. Aside from that, in terms of host style, I don’t know what you mean.

Leah Culver [42:25] – Your approach to how you do interviews ’cause it used… both interview shows, right?

Craig Cannon [42:30] – Yeah, they were both interview shows. I’ve recognized how important it is to control the energy in the room. And, as the host, it’s totally on you. A lot of people think, “Oh, I’ll just bring in Leah and Tom and they’re going to be super fun. This is going to be great!” You are both super fun, but that’s not the case. You have to have a certain energy about you and keep it going. Transitioning is always difficult between subjects. One thing that’s, maybe, obvious to the listeners and the YouTube people is that I introduce people in the podcast edit rather than having people introduce themselves because that can be a little… It kind of takes the air out of the room if someone’s not used to introducing themselves.

Leah Culver [43:09] – Oh, yeah, I guess… Would you say that startup founders are better at introducing themselves than Salt of the Earth interviewees?

Craig Cannon [43:18] – It’s totally sales, right? If you’re good at sales, you can really come and make it super engaging. But, more often than not, people are just modest, right? So, like, both of you guys would come in like, “Hey, I’m Leah and I work on Breaker…” And it’s cool and everything but the reality is that you want to get someone hooked really early on in the podcast. And so that’s when the energy has to come. So if you start out with, “Hey, Leah, what do you do?” “Mmmmmmmmmmmm” Then it’s not quite as good. I would do that. We edit the podcasts. I think a lot of people are like, “Ah, I don’t have to edit, I’ll just go…” I think a lot of people don’t realize how edited a lot of the most popular shows are.

Leah Culver [44:00] – Oh yeah, I just did an interview on a show called HackToStart. They edit them. I didn’t realize it because it has a very natural interview type feel. I’d listened to a few episodes and I went on the show. And so I then could compare what I said versus what came out and it’s so much better what came out! Very heavily edited without sounding edited, which I thought was amazing. And I know you do a little less editing.

Craig Cannon [44:24] – Not that much. I really admire Joe Rogan’s podcast because they can keep a three-hour conversation at high energy and fun and they transition pretty well. That’s something that I’ve been trying to get better at doing but it’s difficult, especially with video, right, because the continuity becomes an issue if you’re just cutting all over the place. Whereas, if you looked at the time something was recorded for Serial, and then placed it back into the episode, it’s all over the place.

Leah Culver [44:53] – Actually that’s something I wish I saw more podcasts do. Another request for podcasts is to incorporate music. Legally, of course. Sounds, exploring audio more as an art form. I’ve definitely listened to some pieces that do that and it does make a huge difference. It’s not necessarily the best thing for interview type shows, but there are shows and stories you can tell where adding those elements in really helps.

Craig Cannon [45:21] – I would also say to podcasters, definitely transcribe your stuff because Google is not friendly to audio. And you want that index stuff right there. And it’s pretty cheap to do now.

Leah Culver [45:31] – Which is actually something we’re thinking about starting to do for Breaker too and we can get into feature ideas. We have some pretty crazy ideas.

Craig Cannon [45:38] – If you can talk about it, let’s do it.

Leah Culver [45:41] – We do want to eventually transcribe podcasts that are on Breaker which is pretty much every podcast. However, right now there’s some options where you can pay to have things transcribed either by a human or a robot to varying degrees of success but they’re fairly expensive and cost prohibitive for something like Breaker where there are millions of episodes.

Craig Cannon [45:59] – What else you guys want to talk about?

Tom Sparks [46:03] – I found a company doing what I did with CryptoSeal in 2011 now and they have more adoption. It’s kind of funny. They’re called EnvKey. They’re basically doing secret management for app developers.

Leah Culver [46:20] – I love all of the… I think there’s a huge opportunity in security to do secret management. Right now, things are just like, “Oh put in an env variable, or whatever…” It’s so bad and, for us, as soon as you have a team of more than two people you need to be sharing all sorts of private information. And with companies, if someone joins the company, you got to set it all up. If they leave, you have to somehow revoke all these tokens, right? It’s pretty terrible right now. I think there’s a huge opportunity there.

Tom Sparks [46:51] – That was the thing that we tried to address with CryptoSeal was that we had all felt the pain of managing secrets and stuff like that. And some secrets were more secret than others. But it’s still a tough problem. It’s still something that developers hate to deal with. People still share passwords in spreadsheets and stuff like that which makes me want to hide my head in my hands. There’s technology coming out there for it. I believe, Lyft actually published something that’s actually kind of useful. It’s pretty interesting. This is an area where I have a lot of background because I’ve got a patent on it all. But it’s interesting to see what things come back around in terms of security. But, password management… Still, it’s a huge problem. Nobody really does it all that well, especially for developers. It’s a huge pain in the butt. Anything that makes that easier, I’m all in for. That’s kind of neat. Beyond that I think if somebody wants to fund a DNA sensor for your phone, I think that’s probably going to be a good market. I know that there’s some companies out there doing some more weird bio-aware sensors and I think that’ll be pretty interesting. If you look at the last five years with people paying attention to all of their sort of personal metrics and stuff. Everybody’s got a Fitbit. Everybody’s got something that tracks their steps or whatever. I think that stuff is going to be pretty interesting. It’s going to get more in-depth. Five years we’ll probably have a scale that’ll be like, “Oh, you should probably cut out

Tom Sparks [48:38] – eating this,” or “You should eat more this.” or something like that. I think we’ll see some pretty interesting consumer technologies come out of weird, potentially security, stuff.

Craig Cannon [48:48] – If you weren’t working at YC, what startup would you work on or start?

Tom Sparks [48:54] – Start, I definitely think there’s a lot of room for more security stuff. There’s a lot more things that can be done with end-user metrics. If you go back and look at… A good example for security is DDoS. It’s still a thing. It’s been around forever. The first big DDoS I remember was against eBay in like 1997 or something. That’s 20 years ago, right? This is still a problem. They’re just getting bigger and bigger and bigger. My current method of mitigation is telling people to go get Cloudflare. It’s the simplest thing. There’s going to be more stuff in that space especially as people start publishing more interesting things. I kind of think that the internet’s still in its infancy in a way because… Yeah, Facebook is kind of like microblogging for everybody, but it’s really not. It’s not that ubiquitous. Instagram actually is a little bit more ubiquitous. People take pictures of their food all the time. And while that’s kind of whatever it is, it’s interaction. I think we’ll have people doing more sort of life blogging kind of stuff. And I think, when we see more of that, we’ll get a lot more interesting perspectives on people.

Leah Culver [50:19] – Yeah. I love this thought and I love that you’re getting into biometrics. I love passive sharing as a concept. And there aren’t very many apps currently that do it. People say, “Oh, could it be another social network?” And something I’m fascinated by and haven’t seen it done super well is… For example, Breaker and things like Spotify tell you what you’ve listened to and show other people what you’ve listened to in the past and it’s like a passive behavior. You’re not intentionally sharing that. But, there was, for a while… Path did some really interesting stuff with passive sharing. If you had these monitors turned on you could publish that. Right now a lot of the health data and sensors, even things like Fitbit, aren’t extremely social. You can see other peoples’ step counts but they’re not everything that you could potentially be sharing, but it’s questions of, “What is interesting to see?” I’m kind of a lurker, so I love… My favorite part of Breaker is seeing what people listen to. I’m like, “Ooh, so and so listened to this episode. Oh, that’s so interesting.”

Craig Cannon [51:20] – Is there incognito in Breaker?

Leah Culver [51:22] – We’re actually really discussing that pretty heavily right now. We’ve had a lot of user… When we were very small we didn’t get as many requests for privacy and now we’re getting a lot more. And so we’re figuring out how we want to do privacy on Breaker right now. If you have thoughts on it, send us an email.

Craig Cannon [51:38] – Alright, what’s your email?

Leah Culver [51:39] – Our listeners are thinking about it, feedback at breaker dot audio. You send it to feedback, I actually see every single email that goes to feedback, so don’t think it’s like going into a black hole. We actually do look at that. If you have thoughts on how you want privacy implemented… We really want to encourage people to share what they’re listening to. And passive is the easiest way to do it. You don’t have to think about sharing it. It’s not tricky. But then, also there’s this level of comfort. How comfortable are you with sharing that? I remember getting a streaming music service for the first time, actually it was Rdio. Having people see what I listen to, it’s like, “Oh my gosh, that’s so invasive.” Now I’m like, “I don’t care. I listened to Hanson’s Christmas album this winter. No big deal.”

Craig Cannon [52:21] – Oh man, and if you weren’t working on Breaker, do you have thoughts on a startup you might be into?

Leah Culver [52:27] – I actually would probably work on an open source project. I’m fascinated with the idea of… Right now there’s a lot of… I’m going to sound really trite saying this, but there’s… Mobile and web development are pretty separate. I’m fascinated by projects like Swift on the server and React on the device. But I think those are a little too idealistic still. I think I would want to work on practical reusability and frameworks. And I love Swift, so I’d love to get involved with what IBM is doing with Swift on the server. Yeah, I don’t know. That’s not super exciting. I’d go a little bit more back to my open-source roots. I’ve never built a framework or worked on a language and I would love to do that at some point in my life.

Craig Cannon [53:13] – Yeah, yeah, totally. Cool! Alright guys. If someone wants to get into security or building podcatchers, what would you recommend? What should they check out?

Tom Sparks [53:25] – There’s honestly not a lot of stuff out there. I used to tell people, “Oh, you know, if you’re really that interested, go to DEF CON.” That’s not really a great idea because it’s just not. It’s fun, but the amount of learning you might get done will probably be erased by the amount of partying you do. Just trying to read through blogs and stuff like that. Honestly, Hacker News has some pretty good security stuff that gets submitted to it.

Leah Culver [54:02] – Yeah, Hacker News is a great resource. Capture The Flag activities have been super fun. That’s how I got a little more into it was trying that… I’m still terrible by the way. I’m no good at Capture The… It’s like a little bit beyond me but that helped me learn some of the techniques and some of the common exploits. And they set certed all of that. I don’t know. How close are things that you do in a Capture The Flag event to real world security issues?

Tom Sparks [54:29] – It depends upon how well they were set up. I guess I won’t really totally go into my heavy background. But, there’s a lot of stuff that you can simulate pretty easily. There’s a lot of hilarious technology that’s still around from when I was a kid that people were breaking into left and right. And you’d just laugh. A good way to see that kind of stuff is really… If you want to go into the weeds, you can look through Shodan and find something kind of interesting there. And then start to read up on how it works. IoT security is going to be a really big thing. And getting pieces of common IoT equipment is pretty easy. It’s like, maybe 10, 15 bucks, you can get a little programmable computer, essentially, and start poking away at it. I dug into MicroPython and submitted some patches and did some cool stuff with some boards and had a lot of fun and it cost me 10 bucks, maybe. You can get started pretty easily doing some of the basics. If you’re looking for ways to learn how to exploit stuff that you can Google. Insecure.org has some really great mailing list stuff on it. You can see what’s new. Looking through new CVEs is kind of an interesting way of learning about stuff. There’s really not a great way to get an intro aside from having somebody mentor you or essentially breaking the law right now, which I do not recommend.

Craig Cannon [56:13] – Yeah, it’s like, “I’ll take you one step further.” Do you have any favorite last questions from podcasts?

Leah Culver [56:22] – Okay, is there anything, any common philosophies, in software development or security that you disagree with?

Tom Sparks [56:31] – There are some old school methodologies of things, where it was really kind of security by obscurity and that stuff is just, it’s B.S. basically. If you want to be a good software developer you have to be good at the tools you use regularly. I know three or four programming languages. I don’t think that’s really super useful, that advice. I know LOLCODE. I know some pretty silly stuff. Doing esoteric stuff is not recommended on either side. I don’t think I can think of a methodology that would be good or bad. Some people rely a little bit too much on source code control. I feel like, maybe, the Git security model is pretty bad when you compare it to some of the older stuff. But the usability you get out of it is way, way higher, so I don’t think those things really go together. I don’t know.

Craig Cannon [57:43] – Yeah, I think I’d just fall on the side of being really good with your tool rather than always looking for the newest tool. That’s just been tiring to me with my limited experience as an engineer, where it’s like, “Oh, you have to use this language or this framework or this thing.” And just like, “How about we just get really good at Python?” or, “Choose your tool.” But, yeah, that would be mine. How about you?

Leah Culver [58:07] – Well that’s a really good one. Oh man, I just had some and then I just forgot them all. That was such a good one. I love it, yeah, yeah.

Craig Cannon [58:15] – Alright, thanks for listening. As always, the video and transcript are at blog.ycombinator.com. If you have a second, please subscribe and review the show. Alright, see you next week.